Check RRset trust in validate_neg_rrset()

In many places we only create a validator if the RRset has too low trust (the RRset is pending validation, or could not be validated before). This check was missing prior to validating negative response data. (cherry picked from commit 6ca67f65cd)
2026-05-26 03:12:16 -04:00 · 2026-03-03 11:43:23 +01:00 · 2026-03-03 11:43:23 +01:00 · 85fcd704e2
commit 85fcd704e2
parent 8890a91c1c
1 changed files with 13 additions and 4 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -2463,6 +2463,17 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name,
 		}
 	}

+	if (rdataset->type != dns_rdatatype_nsec &&
+	    DNS_TRUST_SECURE(rdataset->trust))
+	{
+		/*
+		 * The negative response data is already verified.
+		 * We skip NSEC records, because they require special
+		 * processing in validator_callback_nsec().
+		 */
+		return DNS_R_CONTINUE;
+	}
+
 	val->currentset = rdataset;
 	result = create_validator(val, name, rdataset->type, rdataset,
 				  sigrdataset, validator_callback_nsec,
@ -2573,11 +2584,9 @@ validate_ncache(dns_validator_t *val, bool resume) {
 		}

 		result = validate_neg_rrset(val, name, rdataset, sigrdataset);
-		if (result == DNS_R_CONTINUE) {
-			continue;
+		if (result != DNS_R_CONTINUE) {
+			return result;
 		}
-
-		return result;
 	}
 	if (result == ISC_R_NOMORE) {
 		result = ISC_R_SUCCESS;